some hardening

2 files changed, 8 insertions, 2 deletions

diff --git a/src/firejail/fs_etc.c b/src/firejail/fs_etc.c
index baa707741..786e0d360 100644
--- a/src/firejail/fs_etc.c
+++ b/src/firejail/fs_etc.c
@@ -142,7 +142,7 @@ errexit:
 static void duplicate(const char *fname, const char *private_dir, const char *private_run_dir) {
         assert(fname);
 
-        if (*fname == '~' || *fname == '/' || strncmp(fname, "..", 2) == 0) {
+        if (*fname == '~' || *fname == '/' || strstr(fname, "..")) {
                 fprintf(stderr, "Error: \"%s\" is an invalid filename\n", fname);
                 exit(1);
         }
diff --git a/src/firejail/sbox.c b/src/firejail/sbox.c
index 7b5b61f2f..d7147b8ea 100644
--- a/src/firejail/sbox.c
+++ b/src/firejail/sbox.c
@@ -23,6 +23,7 @@
 #include <unistd.h>
 #include <net/if.h>
 #include <stdarg.h>
+#include <sys/resource.h>
 #include <sys/wait.h>
 #include "../include/seccomp.h"
 
@@ -77,6 +78,11 @@ static int __attribute__((noreturn)) sbox_do_exec_v(unsigned filtermask, char *
 
         umask(027);
 
+        // https://seclists.org/oss-sec/2021/q4/43
+        struct rlimit tozero = { .rlim_cur = 0, .rlim_max = 0 };
+        if (setrlimit(RLIMIT_CORE, &tozero))
+                errExit("setrlimit");
+
         // apply filters
         if (filtermask & SBOX_CAPS_NONE) {
                 caps_drop_all();
@@ -289,7 +295,7 @@ int sbox_run_v(unsigned filtermask, char * const arg[]) {
         if (waitpid(child, &status, 0) == -1 ) {
                 errExit("waitpid");
         }
-        if (WIFEXITED(status) && WEXITSTATUS(status) != 0) {
+        if (!WIFEXITED(status) || WEXITSTATUS(status) != 0) {
                 fprintf(stderr, "Error: failed to run %s, exiting...\n", arg[0]);
                 exit(1);
         }